Search Results: "Pablo Lorenzzoni"

24 June 2008

Pablo Lorenzzoni: Ruby security advisory and fix

Debian 4.0's version of Ruby is open to the now widely known Ruby security vulnerabilities. The bug is reported as 487238 in Debian's BTS, and is closed, since the version now in sid (version 1.8.7.22-1) is already fixed. Users of stable can apply the patch provided by Daniel Franke (it doesn't seem to fix everything, but it goes a long way).

Apparently, this brought up (again) the rants over full disclosure. Indeed, what is vulnerable is not that hard to find, as Zed Shaw showed us, so why not talk about it in a plain and bold form? Why just provide the CVE numbers and ask everybody to upgrade? Zed goes deeper into the quality of the C code, but that is not the issue I want to talk about...

As a Free and Open Source Software supporter (and developer), I can see the benefits of full disclosure. As a not-full-time webmaster, I can see the benefits of not having a proof-of-concept piece of code attached to the vulnerability report. Of course, there are a lot of things a webmaster can do to prevent having a machine completely compromised in case a security advisory is published with proof-of-concept code in it (think about chrooting, randomized memory protection, security libraries, grsecurity, SELinux, etc.), and my machines, although vulnerable to the bug, would not be fully compromised if exploited. I guess one should be prepared for whatever comes from the Internet...

Full disclosure, in this sense, has more pros than cons, IMHO. For instance, it was not clear if Debian 4.0 was vulnerable. There was no security advisory coming from Debian (and there still isn't), and it is not promptly obvious if the version packaged is affected. I know that at least I wanted to run a proof-of-concept to check if my server was vulnerable or not before going all the way into packaging a fix (or backporting the sid version), and it was not until I read the Matasano Chargen blog that I could test older versions. But different people have different ideas...
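Since the post says it was not obvious whether the packaged version was affected, here is an added example (not code from the post, from Debian or from the Ruby project) that compares a Ruby version string against the version the post names as fixed in sid, 1.8.7.22-1. It works on the interpreter running it or on a Debian package version string. The threshold is taken from the post; the sample package versions in the usage block are constructed for the example. The comments also carry the caveat that a fix backported to stable, like the patch mentioned above, keeps the old upstream version number, so a version check alone cannot prove a stable package is unpatched.

```ruby
# Added example; not code from the original post. It compares a Ruby version
# string against the version the post names as fixed in sid (1.8.7.22-1),
# either for the interpreter running it or for a Debian package version
# string. The fixed-version threshold is taken from the post; the sample
# package versions in the usage block are constructed for this example.

FIXED_UPSTREAM = "1.8.7.22" # upstream part of 1.8.7.22-1, the fixed sid package

# Split a Debian version "[epoch:]upstream[-revision]" into
# [epoch, upstream components as integers, revision (or nil)].
# The revision is whatever follows the LAST '-', since an upstream version
# may itself contain hyphens.
def parse_debian_version(v)
  epoch = 0
  if v.include?(":")
    e, v = v.split(":", 2)
    epoch = Integer(e)
  end
  upstream, sep, revision = v.rpartition("-")
  if sep.empty? # no '-' at all: rpartition puts the whole string last
    upstream = revision
    revision = nil
  end
  # "1.8.7.22" -> [1, 8, 7, 22]; non-numeric trailing text is dropped by to_i
  [epoch, upstream.split(".").map(&:to_i), revision]
end

# True when the installed upstream version sorts below the fixed one.
# Array#<=> compares element by element and a shorter prefix sorts lower,
# so [1, 8, 5] < [1, 8, 7, 22].
def below_fixed?(version, fixed = FIXED_UPSTREAM)
  epoch, installed, = parse_debian_version(version)
  fixed_epoch, wanted, = parse_debian_version(fixed)
  ([epoch, installed] <=> [fixed_epoch, wanted]) < 0
end

# Classify a version string. A fix backported to stable (like the patch the
# post mentions) keeps the old upstream version and only bumps the Debian
# revision, so a version number alone cannot prove a stable package is
# unpatched: such packages are reported as :check_changelog instead of
# :affected, and the package changelog is what settles it.
def status(version, fixed = FIXED_UPSTREAM)
  return :fixed unless below_fixed?(version, fixed)
  _, _, revision = parse_debian_version(version)
  revision ? :check_changelog : :affected
end

# The running interpreter's version in the same "major.minor.teeny.patchlevel"
# shape as the Debian package version (RUBY_PATCHLEVEL is -1 on dev builds).
def running_ruby_version
  "#{RUBY_VERSION}.#{[RUBY_PATCHLEVEL, 0].max}"
end

if __FILE__ == $0
  # Constructed sample versions, not taken from any real system.
  ["1.8.7.22-1", "1.8.5-4", "1.8.6.111-2", running_ruby_version].each do |v|
    puts "#{v}: #{status(v)}"
  end
end
```

Run it with the output of `dpkg-query -W -f='${Version}' ruby1.8` as the argument to `status` to classify the installed package; a `:check_changelog` result means reading `/usr/share/doc/ruby1.8/changelog.Debian.gz` for the backported fix, not assuming the host is vulnerable.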

1 May 2008

Pablo Lorenzzoni: "Important by Association"

Here is a story people are bugging me to tell here: since 2003, every year on fisl's last day we, Debian Brasil, hold a party to celebrate Debian's anniversary (I know it's in August, but it's probably the only opportunity we'll have to gather the whole gang together, so we do it in advance anyway). It's always something that draws everybody's attention in the conference... I wonder if the pieces of cake we distribute have anything to do with it...

Anyway, this anecdote happened during fisl9.0's party. I was there, helping by distributing cake and blowing our whistles, when Jon "Maddog" Hall got there to check what was going on. I met Jon around 2001, in OpenBeach, an event that happens in Florianópolis every year (and that Jon likes to attend)... he's the most pleasant guy, with lots of stories to tell. Since this year's fisl was so intense, I barely had time to talk to him; in fact, that was the first time we saw each other this year. We hugged each other and were asking how each other's life was going and so on, when Jon got his camera out of his pocket and asked some guy in the crowd to take our picture. I did the same. We exchanged some compliments and he left, saying that he still had to work on his talk.

Jon is quite a character. At fisl, every time he wanders around his picture is taken over one hundred times (I actually saw a father taking pictures of him holding his child like he were running for Senate or something, one time). So he left with some people around him, and I think he'd not seen what happened next. I turned towards Debian's booth, to resume the cake delivery, when some guy in the crowd asked me to take a picture with him. And then another one, and another. I believe my picture was taken another two or three times before I got to the booth. I couldn't believe it! I was about to tell people "Hey! I am nobody! Stop taking pictures with me!" What were they thinking? I imagine something like "I don't know who this guy is, but if Maddog took a picture with him, he must be someone!" was crossing their minds.

When the party was over I went back to the Organization Committee room and told this story... LTSP's Jim McQuillan (another good friend) told me I was "Important by Association", and everybody just kept laughing at me because of that. I haven't had the time to tell Jon about it... I hope he's reading. I think I am going to check what pictures people are uploading about fisl, to see if I can find myself in any ;-)

30 April 2008

Pablo Lorenzzoni: Recording with Palm TX

I gave Brenda a Palm TX, so she can better organize her life. As a plus, it is wi-fi aware, so all sorts of interesting things can be done. Sadly, though, it doesn't ship with a microphone (I still wonder why: it's large enough to hold an embedded mic, just as Palm smartphones have). Lately, Brenda was talking about recording some sessions or holding her thoughts in one of those tiny memo-recorders, and this promptly struck me as another gadget to stuff her purse with... Then I remembered having read that the Palm TX has everything required to hold a microphone, except the microphone itself. I retrieved the Palm Multi-Connector pinout from Wikipedia and realized that all I had to do was attach an electret microphone to pins 16 and 17, and there we go. I ordered a charging cable just for the connector, and here are the pictures I took of the building process:

The tools and pieces I used:

It's easy to disassemble the connector. Take a close look at the plastic hooks holding it together; there are four of them: two outside, near the pins, and two inside, near the cable. The last two are harder to detach, but once you've detached the first ones, just hold the two pieces of the connector and easily shear them apart: one side will detach first.

The microphone has two terminals that already hold enough solder. Be careful to solder the blue cable (the one that goes to pin 16, AGND) to the marked terminal of the microphone, and the red one (the one that goes to pin 17, MIC_IN) to the unmarked one. (In the picture, my cables are all black, but the wires inside are red or blue. I could not get a good picture of the terminal markings.)

I desoldered the charging cables from pins 1, 3, 5 and 8, but that is up to you (you can just cut the main cable and leave the pins untouched). Also, while soldering the microphone cables to the connector, be careful to use as little solder as possible. It'll be even easier if you remove the pin from the connector; it's easy to do if you have small pliers and careful fingers. Try first with one of the other pins that will not be used. Solder the red one to pin 17 and the blue one to pin 16. I cut a piece of an old earphone cushion to close the charging cable hole (and to protect the microphone). Here is the final result:

Now, for the recording software, there's a nice piece of free software that does that perfectly for PalmOS: Better Recorder. Now Brenda can record her mind!

22 April 2008

Pablo Lorenzzoni: Considering git...

It has been some time since I've blogged about Subversion and how I was finding it useful. I've been using subversion and svk since about that time, and I love it. Svk is really great, and although it is more an off-line version control system than a distributed one, it goes a long way for a former cvs user like myself.

Lately, I've been considering git (isn't everyone?). It was not until I moved to my own hosting (thus having to maintain two subversion trees: the new one and my company's old one) that the whole "having a central repository" thing started bothering me. Merging became complex, since now I have two central repositories, and while svk makes it a lot simpler (I just keep a mirror of the two repositories and use svk to merge between them), I began to realize that there should be a better way... I've watched (again) Linus' git lecture at Google Tech Talks and decided I was going to try it.

The first thing that called my attention was how easy it is to share a repository: just copy the .git directory somewhere public (an http server, for instance), and there you have it. This is much easier than configuring modules for apache, or configuring svnserve (and I've done that a lot in the past 3 years!). For the subversion-only user (one that has never used svk), the carry-all-the-repository-with-you thing may sound strange, but with svk I was used to mirroring the repository, so that's not an important change to me. I could not compare space utilization yet (and git is advertised as being more space-efficient), but so far the git repositories seem to be a little smaller. I already found it easy to branch using svk (in fact, I used to do that a lot), but git branching is really a plus! You can switch back and forth inside the same working copy (actually I don't think it's correct to call that a working copy) and merging is rocket-fast!

Maybe if svk could easily merge between two distinct users without requiring a subversion repository (think about the defunct svl), I would not have been trying git, but... One thing that is really missing is partial checkout. Actually, I liked very much that svn/svk feature, and the clean and natural way in which they treat directories and files. I understand git is designed with other priorities in mind, but, right now, that feels like it's missing to me. Maybe it's just an svn/svk habit. All in all, I found git very interesting... I am not ready to switch from svn/svk yet, but I'll try git in small new projects and see if I can get used to it.

20 April 2008

Pablo Lorenzzoni: So... it's over

And fisl9.0 is over. This was a great one, not only because of its size, but because there were so many things at stake that I am positively surprised so few went wrong. We've got a lot to think about until the next one...

To begin with, there's a major difference in this inter-fisl time: we already know where the next one's going to be and how much it'll cost us. The event-center cost, as you can imagine, is the most expensive part of our budget, and knowing that in advance, I believe, will play an important role in our planning. Also, we've got more time to plan for the next one: it'll be in June, not April as usual.

Moving back to PUCRS (from FIERGS) as fisl's event-center, now I can say, was scaring me to death. PUCRS is smaller and we were foreseeing a huge event. Guess what! The event was bigger than first imagined, and PUCRS held it without major drawbacks. Sure, lectures were crowded, but they were already crowded at FIERGS anyway... The expo had more people than at FIERGS, but I am sure our sponsors did not think that was a problem ;-)

Of course, not everything went OK... I think we had two important problems to solve for the next fisl: our network must be born already correctly configured for the streaming, and our wireless infrastructure must be stronger. The first one I already wrote about, and I think it had to do with the inexperience of the network people this year: apparently they've put everything under a crappy load-balancing, and while this might work for web-surfing or sending small amounts of data, it just hurts anything that should be continuously transferred, like real-time video. Here is a piece of advice: network planning involves the right amount of everything (the right amount of cables, the right amount of bandwidth, the right amount of uplinks), including the right amount of configuration! I think our network problems were more a case of overconfiguration than one of lack of skills.

The problem with the wi-fi is deeper. Maybe I don't completely understand the technology (and the people handling it were not very helpful). How do you manage an event like fisl on the wireless front? PUCRS provided us with enough wi-fi to hold 1500 concurrent connections (so they say), and reported that we never had more than 400 concurrent connections, and yet, as many people have reported, connecting our laptops was a hassle. I don't have a laptop, but I've seen a lot of my friends trying to connect with no luck. During the second day, PUCRS wi-fi technicians told us that the problem was the Access-Points people brought to fisl (according to them there were more than 30) that were, somehow, messing with the channels they were using. So we reserved some channels for PUCRS and asked people to use other ones. I tend to believe that the majority of the people listened to our appeal and reconfigured their Access-Points, but no improvement was reported. So, either PUCRS cannot hold more than 400 concurrent connections in their wi-fi system, or there's some other problem we've not identified. What is the right thing to do? Forbid people from bringing their own Access-Points? No way I am going to see the day fisl's organizing committee disallows people from carrying their own communication devices!! There must be a better solution... I think I am going to study wi-fi, at least not to be easily fooled around by this "messing the channels" crap (please, comment on this article if you have any ideas).

Finally, people are dreaming of a 10-thousand-people fisl next year. I think it's no more than a dream, but hey! When we made the first fisl, there were only 300 people... it has been a 9-year-long dream... Maybe that 10-thousand one will come true, as the previous ones did. I will just add one more problem to our list: the first day's long lines to get people's badges must be addressed in a creative way... Thanks to all that came to fisl. See you next year!

18 April 2008

Pablo Lorenzzoni: fisl9.0: 2nd day

They've come down with a participant number for fisl9.0: 7417. That's it, over SEVEN THOUSAND! I was told it's still an estimate, since they haven't merged the databases yet (anyway, that's the official number so far). This fisl is huge! One more picture of the crowd, just for the record:

Now everything is fine. TVSL went online with no problems (once the network was fixed) and remained broadcasting the event the whole day long. All was so fine that one could think it's even boring! I spent half the day attending our company booth and the other half trying to help the organizing committee. While walking around, two linux-driven home-made robots called my attention. The first one serves water to the guy in front of it:

The other one just walks around:

On the Debian side of the "trench", I met João Eriberto Mota Filho, a Debian Developer wannabe who asked me to sign his key. I've seen him before, since he's a frequent speaker at fisl, and welcomed him as a future developer. Meanwhile, I was reminded by faw that I still owe him my signature since DebConf4!! I signed so many keys in the KSP we held then that one or two might have been missed... I intend to fix that RSN ;-)

17 April 2008

Pablo Lorenzzoni: Wow! Fisl exploded!

I have never seen so many people at fisl. Seriously! All the rooms were crowded, all the time, same as the expo and the user-group area. Our official counter was stopped at 6667 participants, but that is just because we've taken the registration database off-line in order to process new registrations on-site. By the end of fisl all the numbers will be summed up, but I heard rumors of 7 thousand people! Awesome!

I spent this first day mostly in the TVSL room. We've had problems with the network all day long. PUCRS technicians and our link provider's personnel were trying to figure out where the problem was. Being stuck with non-functioning stuff, to me this day was mostly a sequence of frustrating attempts to get over the blockage. By the end of the day I was told that they were close to a solution... It reminded me of our second year trying to stream fisl, as was best told by Fluendo's Thomas... This just leads me to an unavoidable conclusion: our network sucks! I had to hear from a Brazilian friend who lives in Europe how wonderful her Gigabit network is... grrrrrrr.

Bored as I was, I went walking around. That, surely, was the best part of fisl so far: meeting old friends. I had the most pleasant chat (yet quick) with Otavio Salvador and Felipe van de Wiel, both long-time friends. I took some pictures of the crowd:

And, since I was not available in the morning, when the huge crowd was arriving, I took a picture of a picture taken by Marlon of those initial moments:

(It is not really clear in this picture, but beyond the red gates there were as many people as inside)

15 April 2008

Pablo Lorenzzoni: fisl9.0: T-48h

We are at T-48h of fisl9.0, and everything starts to take form. I spent the whole afternoon getting our icecast infrastructure online. We've got 6 servers, all with different bandwidth and not all with the same architecture... The Debian boxes were prevalent (4 of them: 1 amd64 and 3 i386), all of them etch. We'll be able to follow the statistics at the tvstats website (not all the servers are listed yet).

In this process I found an evil bug in Debian's icecast package, which I will have to debug to understand better: when relaying from a master server (which is our set-up), if the source stops feeding the master, the relay segfaults. The strace shows it just segfaults while polling... I've got no explanation for it and I'll have to dissect it if I want to build a proper bug report. In the meantime, I installed the sarge-backports version, and it worked... so the bug report will have to wait until after fisl :-)

I took some pictures to show how everything is being put together. Take a look:

And some of the infrastructure crew:

See you all there!

13 April 2008

Pablo Lorenzzoni: e-fisl

I've been involved in TVSL (Free Software TV, a streaming infrastructure for fisl) since its beginning... This time, while searching for a way to embed IRC into a webpage for an internal project, I discovered mibbit, an interesting IRC widget. Then I thought: it would be interesting to have that for fisl... This is how I put together e-fisl. e-fisl is just a webpage with an embedded cortado player (via the beautiful MetaVid library) and the mibbit widget. I put it together just a few minutes ago, but I suspect it is going to be interesting to watch how people use it (the mount-points for the rooms are still not available, as you'll notice). I am planning to have a bot in the #fisl channel to collect questions from the remote attendees... I just have to check with the rest of the organizing committee if it will be possible to read these questions to the speaker during the session. It would be great...

Pablo Lorenzzoni: Finally, I am back

I can't possibly summarize all that has happened to me since my last post. The short explanation is that I had to serve in the Brazilian army for a year, and that kind of disorganized my life. While I was in the army, I was forbidden to blog, and when that year ended, my life was too messy to keep up, and I've been procrastinating my comeback! Now, finally, I am back. Just in time, I would say: fisl9.0 is about to begin. For this comeback, some things changed: my blog engine (from Rodin to Mephisto), my Gallery (it's gone, sorry!), my domain (I've moved from my company's webserver to my own)... I will be publishing some entries in Portuguese (in a separate section). Hope you all enjoy. Happy hacking.

2 February 2006

Pablo Lorenzzoni: My girlfriend enters, I leave

Since January 13th I have been on my last vacation of my last year as a Radiology resident. I've received my certificate and have already been hired to work as a radiologist! Things are going fine and I even enjoyed some summer days on the beach. Pictures of these will be posted to my gallery soon.

Yesterday was my girlfriend's first day as a Public Health Social Worker resident, and we gave her a "surprise party" both in celebration of this and of her birthday (which was on Jan 26th). We've been planning this party the whole month, and since she is "too aware of everything around" it was not an easy task. She was really surprised and had not suspected anything. Pictures are already in my gallery. So, for the next two years, it's her turn to be somebody's slave. My residency took me three years (since the radiology program is a bit longer than public health), and at the exact moment I finally stepped out, she steps in. All the patience that the last three years demanded from her is now my task, since I'll be asked for the same.

I am just too happy for her. Being a social worker without a residency in Brazil means living with an unfair salary and a whole lot of poverty around. After these two years, things will be better for her (and for us), at least wrt the salary.

Meanwhile, I've been working on flumotion and icecast2 for the Free Software Television (thanks wingo and karlH for your patience), watched the launch of another free-software-based internet TV called YSTV, released more videos from fisl6.0, and helped the Program Committee of fisl7.0.

WRT this last one, we've closed the papers review process, which is mainly driven by a computer-calculated score based on reviews given by selected people. We do not interfere with the process, except that some of us were also reviewers for some tracks. We've notified those chosen, and within this week they have to confirm; then we'll start publishing a partial program... We're using a home-made piece of free software we keep in our subversion, called papers.

30 December 2005

Pablo Lorenzzoni: New Year, welcome "Computer for All"

It's almost 2006. I can barely wait! This year was a really busy one and, although I don't expect my life to slow down any, there's always the hope for better days...

We've ended 2005 in pretty good shape: fisl7.0 promises to be the best of all, fisl6.0's videos were finally put online, the process that was leading to the purchase of more than 5 thousand Windows/Office licenses by the National Congress was halted, the standard for Brazilian digital TV is going open source, and, finally, the best of all: the "computer for all" project is a huge success.

All of the above are great, but this last one I point out because it's the largest digital inclusion project I know of: it puts a pretty good computer (by Brazilian standards) inside the home of anybody who can pay ~ R$ 60.00 (around US$ 25.00) a month for two years, with internet access and running a branded GNU/Linux. The reports have been great (e.g. one of the sellers sold 13 thousand units in a month while expecting to sell 5 thousand). I think this project is a major score!


And they have a pretty good logo also. :-)

12 December 2005

Pablo Lorenzzoni: fisl6.0 videos online - finally

I've been too busy the last two weeks. We prepared fisl6.0's videos to be served from our BitTorrent Tracker (courtesy of Hugo Cisneiros, who provided the fast connection and the bttrack server). And now they're officially uploaded. The first 80 videos can be downloaded using BitTorrent at http://torrents.softwarelivre.org/.

Some of the best ones, IMHO, are Maddog's, David A. Wheeler's, David Heinemeier Hansson's (btw, the video he presented is here) and Eric Raymond's, but there are many others I could list.

We had a lot of trouble with the recorded media. It was so bad that we just gave up on some videos... around 20% were lost due to bad recording or damaged media. It was so frustrating that we decided to take a different path for fisl7.0: we'll encode the video on site. We'll not repeat the same mistake of getting them on DVD first and then converting later. Rather, we'll encode directly on the encoding machine and, maybe, it will be available the same night or the next day. We already have everything in place (after all, we stream the whole conference!); it's just a matter of generating an improved-quality version and recording it.

Using Theora, a fast processing machine will be needed, but we can rent one for the 4 days of the conference and use it to encode both the stream version and the distribution version. Anything will be better than losing a recorded talk due to bad media or bad recording... We're already choosing the hardware specification... We'll need at least 6 of those powerful machines (since we'll have at least 6 simultaneous rooms).

Gosh! I'm already looking forward to the next fisl!!

29 October 2005

Pablo Lorenzzoni: It's fisl time, again

fisl7.0, the 7th edition of the International Free Software Forum, is picking up the pace. They've issued their call for papers (please help dig it up) and their website. This year they're moving to a place twice as big as PUCRS (the place where it used to happen). Everything's pointing towards another great event.

I am still playing with GStreamer and Icecast; for this edition the Free Software TV promises to reach many more than the 12 thousand people who watched fisl. Also, the first speaker invitations have already been confirmed (sorry, but I am not going to mention who confirmed for now... let's see if we can create some atmosphere of expectation :-) ).

Reviewing fisl6.0's pictures, I came across this one:



... which is a good picture of the cake distribution we had at the "Good Bye Woody Party" that Debian Brasil held there. Those days were a lot of fun! Here is the Debian Brasil Team at the conference:



I am already looking forward to meeting everybody again...
